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AMENDMENTS TO THE CLAIMS 

The listing of claims will replace all prior versions, and listings, of claims in the 
application: 

Listing of Claims 

What is claimed is: 

1.-29. (Cancelled) 

30. (New) An Authentication Gateway (AG) arranged for receiving an access 
request in a telecommunication core network (CN) from an entity (WLAN-AS) in an 
access network (WLAN) where a user with a user's equipment (UE) accesses through, 
the user being a subscriber of the telecommunication CN and being identified by a 
user's identifier included in the access request, the AG having a means for carrying out 
an authentication procedure (SIM-based; AKA; EAP) with the UE through the access 
network (WLAN) in order to authenticate the user; a means for computing at least one 
secret user's key (K c ) usable as cryptographic material, and a means for deriving from 
the cryptographic material (K c ) a user's shared key (SSO_key-1) intended for SSO 
purposes; the AG comprising: 

a means for sending for SSO authentication purposes, the user's shared key 
(SSO_key-1) along with the user's identifier towards a session manager (SSO_SM) 
serving a service network (SN). 

31. (New) The Authentication Gateway (AG) of claim 30, further comprising 
means for being notified that a session at the access level has been established, this 
notification triggering the sending of the user's shared key (SSO_key-1) towards the 
session manager (SSO_SM) serving the service network (SN). 
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32. (New) The Authentication Gateway (AG) of claim 31, further comprising 
means for being notified that a session at the access level has been terminated, and 
means for forwarding this notification towards the session manager (SSO_SM) serving 
the service network (SN) in order to inactivate a current master session for the user. 

33. (New) A session manager (SSO_SM) serving a service network (SN) for 
SSO purposes and arranged for managing a session record for a user accessing the 
service network (SN) through an access network (WLAN), the user having been 
authenticated by a telecommunication core network (CN) where the user holds a 
subscription, the session manager (SSO_SM) comprising: 

a means for receiving a first user's shared key (SSO_key-1) and a user's 
identifier from an Authentication Gateway (AG) of the core network (CN) for SSO 
authentication purposes, the first user's shared key (SSO_key-1) obtainable during the 
authentication of the user by the core network (CN); 

a means for creating a master session for the user that comprises the user's 
identifier and the received first user's shared key (SSO_key-1); and 

a means for checking whether a second user's shared key (SSO_key-2) derived 
at the user's equipment (UE) and received from a service access authentication node 
(SAAN) of the service network (SN) matches the first user's shared key (SSO_key-1) 
included in the master session for the user. 

34. (New) The session manager of claim 33, further comprising means for 
creating a service session to index the master session, in case of matching first and 
second user's shared keys, the service session intended as a token of a successful 
SSO user authentication. 

35. (New) The session manager of claim 34, further comprising means for 
verifying whether a service session indexes an active master session for a user to 
determine if a previous SSO authentication is still valid. 
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36. (New) The session manager of claim 33, wherein the means for checking 
whether a second user's shared key (SSO_key-2) derived at the user's equipment (UE) 
matches the first user's shared key (SSO_key-1) included in the master session, 
comprises means for processing the first user's shared key (SSO_key-1) to obtain a first 
key code (MAC(SSO_key-1)) to be matched against a second key code 
(MAC(SSO_key-2)) originated from the user's equipment. 

37. (New) A service access authentication node (SAAN) for receiving a 
request from a user accessing a telecommunication service network (SN) through an 
access network (WLAN) with a user's equipment (UE), the user already authenticated 
by a telecommunication core network (CN) where the user holds a subscription, the 
request including a user's identifier to identify the user, the SAAN comprising: 

means for verifying whether an active service session is indicated in the request 
from the user's equipment; 

means for obtaining that a user's shared key (SSO_key-2) derived at the user's 
equipment (UE) and stored therein; and 

means for determining in cooperation with a session manager (SSO_SM) serving 
the service network (SN) for SSO purposes whether the user's shared key (SSO_key-2) 
at the user's equipment (UE) matches the one stored in the master session (SSO_key- 
1) for the user. 

38. (New) The service access authentication node (SAAN) of claim 37, further 
comprising means for obtaining a service session for a user from the session manager 
(SSO_SM) serving the service network (SN) for SSO purposes. 

39. (New) The service access authentication node (SAAN) of claim 38, further 
including means for generating an SSO cookie to be submitted to the user's equipment 
(UE), the SSO cookie comprising the service session. 
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40. (New) The service access authentication node (SAAN) of claim 39, further 
comprising means for receiving an SSO cookie from the user's equipment (UE), the 
SSO cookie indicating a service session for the user. 

41 . (New) The service access authentication node (SAAN) of claim 37, further 
comprising means for downloading an SSO plug-in towards the user's equipment, the 
SSO plug-in running for confirming back the user's shared key (SSO_key-2). 

42. (New) The service access authentication node (SAAN) of claim 37, 
wherein the means for obtaining a user's shared key (SSO_key-2) derived at the user's 
equipment (UE) includes means for receiving from the user's equipment an element 
selected from the group consisting of: a key code (MAC(SSO_key-2)) obtainable by 
processing the user's shared key (SSO_key-2) at the user's equipment; and the user's 
shared key (SSO_key-2). 

43. (New) The service access authentication node (SAAN) of claim 42, further 
comprising means for submitting the received element to a cooperating session 
manager (SSO_SM) serving the service network (SN) for SSO purposes. 

44. (New) The service access authentication node (SAAN) of claim 37, for use 
as an HTTP Proxy adapted to receive service requests from users accessing a service 
network (SN) in a Walled-Garden SSO model. 

45. (New) The service access authentication node (SAAN) of claim 37, for use 
as an authentication node of an Identity Provider where a credential request is received 
from a user accessing a service of a service provider (SP) in a Federated SSO model. 

46. (New) A user's equipment (UE) usable by a user with a subscription in a 
telecommunication network, and arranged to access a telecommunication service 
network (SN) through an access network (WLAN), the user's equipment (UE) having 
means for carrying out an authentication procedure (SIM-based; AKA; EAP) to 
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authenticate the user with a core network (CN), where the user holds the subscription, 
through the access network (WLAN), means for computing at least one secret user's 
key (K c ) usable as cryptographic material, means for deriving from the cryptographic 
material (K c ) a user's shared key (SSO_key-2) intended for SSO purposes, and a 
repository for storing the user's shared key (SSO_key-2); the user's equipment 
comprising: 

a means for confirming for SSO authentication purposes, the user's shared key 
(SSO_key-2) stored at the user's equipment towards an entity (SAAN, SSO_SM) in the 
service network (SN). 

47. (New) The user's equipment of claim 46, wherein the means for confirming 
includes a means for downloading an SSO plug-in from an entity (SAAN, SSO_SM) in 
the service network (SN), the SSO plug-in running for confirming back the user's shared 
key. 

48. (New) The user's equipment of claim 46, wherein the means for confirming 
includes a means for processing the user's shared key (SSO_key-2) to obtain a key 
code (MAC(SSO_key-2)) to be transmitted to an entity (SAAN, SSO_SM) in the service 
network (SN). 

49. (New) The user's equipment of claim 46, further comprising means for 
receiving an SSO cookie from an entity (SAAN, SSO_SM) in the service network, the 
SSO cookie to be included in all further service requests from the user's equipment as 
an SSO token. 

50. (New) A method for supporting Single Sign-On services for a user with a 
user's equipment (UE) arranged for accessing a telecommunication core network (CN) 
and service network (SN) through an access network (WLAN), the user being identified 
as subscriber of the telecommunication core network (CN) when accessing the access 
network (WLAN), the method having the steps of carrying out an authentication 
procedure for the user between an entity (AG, HLR) of the core network (CN) and the 
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user's equipment (UE); computing at the entity (HLR, AG) of the core network (CN) at 
least one secret user's key (K c ) usable as cryptographic material; computing at the 
user's equipment (UE) at least one secret user's key (K c ) usable as cryptographic 
material; deriving a first user's key (SSO_key-1) from the cryptographic material at the 
entity (AG) of the core network (CN); deriving a second user's key (SSO_key-2) 
intended for SSO purposes from the cryptographic material at the user's equipment 
(UE); the method comprising the further steps of: 

creating a master session for the user at an entity (SAAN, SSO_SM) in the 
service network, the master session comprising a user's identifier and the first user's 
key (SSO_key-1) usable for SSO authentication purposes; 

confirming, for SSO authentication purposes, the second user's shared key 
(SSO_key-2) derived at the user's equipment towards the entity (SAAN, SSO_SM) in 
the service network (SN); 

verifying whether the second user's shared key (SSO_key-2) matches the first 
user's shared key (SSO_key-1) for the user at the entity (SAAN, SSO_SM) in the 
service network (SN); and 

granting access to the requested service in the service network (SN) on matching 
the first and second user's shared keys. 

51. (New) The method of claim 50, wherein the step of verifying the matching 
of the first and second user's shared keys further includes a step of creating a service 
session to index the master session, this service session intended as a token of a 
successful SSO authentication. 

52. (New) The method of claim 51, further including a step of generating an 
SSO cookie to be submitted to the user's equipment, the SSO cookie comprising the 
service session. 

53. (New) The method of claim 52, further comprising a step of verifying 
whether an active service session is indicated in the request from the user's equipment. 
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54. (New) The method of claim 50, wherein the step of confirming, for SSO 
authentication purposes, the second user's shared key (SSO_key-2) stored at the user's 
equipment, further comprises the step of downloading an SSN plug-in from an entity 
(SAAN, SSO_SM) in the service network (SN), the SSO plug-in running for confirming 
back the user's shared key (SSO_key-2). 

55. (New) The method of claim 50, wherein the step of confirming, for SSO 
authentication purposes, the second user's shared key (SSO_key-2) stored at the user's 
equipment, further comprises the step of processing the user's shared key (SSO_key-2) 
to obtain a key code (MAC(SSO-key-2)) to be transmitted to an entity (SAAN, SSO_SM) 
in the service network (SN). 

56. (New) The method of claim 55, wherein the step of verifying whether the 
second user's shared key (SSO_key-2) matches the first user's shared key (SSO_key- 
1) includes a step of processing at an entity (SAAN, SSO_SM) of the service network 
(SN) the first user's shared key (SSO_key-1) to obtain a first key code (MAC(SSO_key- 
1)) to be matched against a second key code (MAC(SSO)_key-2)) originated from the 
user's equipment. 

57. (New) The method of claim 50, wherein the step of creating a master 
session for the user at the entity (SAAN,SSO_SM) in the service network further 
comprises the step of receiving the first user's key (SSO_key-1) usable for SSO 
authentication purposes from an entity (AG) of the core network (CN). 

58. (New) The method of claim 50, wherein the step of creating a master 
session for the user at the entity (SAAN,SSO_SM) in the service network further 
comprises the step of initiating an access session when the user accesses the access 
network. 
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